A Missouri company was of the opinion that they had every right to sue a bank in order to recover $440,000 stolen from them by a cyberheist in 2010. As it turned out, the appellate court did not only find it unwarranted for the firm to sue the bank, it also ruled that the bank’s legal fees be covered by the plaintiff. It is highly unlikely that cyberheists victims will be running to court with similar cases.
The Bancorp South Inc. which is located in Tupelo City in Missouri got hacked into by hackers. The criminals stole Choice Escrow and Land Title LLC’s online banking Username and password. These credentials were then used to make illegal wire transfers amounting to $440,000 to a Cyprus-based corporate bank account.
At the time when the cyber heist was being carried out, the bank’s best online security authentication control was ‘dual control’. This system requires one customer to have one ID and password in order to approve the transfer and a separate set of ID and password to release the transfer. A customer’s other online transaction choice at that time was to perform both the approval and release functions of a wire transfer using one set of ID and password.
In 2005, Federal Financial Institutions Examination Council (FFIEC) required that all financial institutions stop using a single-factor authentication online security control system. The council argued that this control system was inadequate especially for the high-risk transactions like wire transfers which often involve moving large sums of money. Choice Escrow’s legal representatives argued on this premise.
The initial trial court was unmoved by the cyberheist’s argument. When they pursued the case in an 8th Circuit Court of Appeals they still weren’t successful. In fact, the court now favored the defendants.
Dan Mitchell who is a lawyer chairing the data security practice at Bernstein Shur in Portland said that the ruling definitely favored the bank more than the actual victim. However as he adds, the bank had offered the customer two security authentication options –one where they could use single-factor authentication and the other where they could use dual-factor security controls. The bank had advised the customers on these two options and the customer went ahead to make an informed choice of picking the single-factor control. The bank definitely documented this and it is what the appellate court based its ruling on.
It is obvious that companies that get robbed of their hard earned monies from their bank accounts by cybercriminals have little room to argue their case in the courts today.